"I have not failed 10,000 times—I've successfully found 10,000 ways that will not work." The keen historians amongst us will recognise that I'm referencing the great Thomas Edison and the invention of the lightbulb. But how can someone who lived a century ago have said something so relevant to the 21st-century digital age? Because testing the theoretical is still the only way to confirm that what you have actually works. Whether it's Elon Musk testing his reusable space rockets or something as simple as cooking a recipe for the first time, until it's been tested, we do not know how it's going to perform.
The same goes with your business resilience and Disaster Recovery Strategy. You have identified your critical assets and processes, assessed the risks to them and have put controls in place to mitigate those risks following a Business Impact Analysis. This looks good on paper and chances are that those controls you’ve implemented are effective at protecting you from most threats on a daily basis, but what happens if and when those controls fail or are circumvented? Hopefully, this is when your team will pull out the readily available incident response plans and spring into action like a well-oiled machine, but how confident are you of that being the reality in such a troubling scenario?
Putting aside the simple desire for any response to be slick for your business' own sake, the external pressure on organisations to increase their resilience to breaches rises by the year, and the cyber security threat landscape we see today means it's tougher than ever to protect your critical assets. The announcement of the new NIS2 directive by the EU is set to change the regulatory landscape for many businesses across Europe, including UK-based companies that do business in the EU. When that serious incident you've planned for hits your business, not only will your customers and partners expect you to be ready, but the regulators will too.
In the military the often-used slogan "train hard, fight easy" is always delivered with a grin to match the cheesiness of the phrase. Soldiers start off by practising the basics until they become second nature, right up to, at the sharp end, exercising in conditions as close as possible to those found on the battlefield. This allows leaders to troubleshoot problems with tactics, equipment and skillsets while instilling in soldiers the confidence they will need on the day the theoretical becomes reality.
The same can be achieved by exercising your own plans. Running tabletop exercises allows you to test your processes and procedures to find out whether they stand up when that business-critical system is compromised by an attacker at 3am on a Sunday morning. It lets you identify and correct flaws in your approach that you wouldn't otherwise have known about. After all, it's much better to discover a problem with your response plan when you're practising than when the consequences are real. A team that has done it before and knows the plan works will be an order of magnitude more effective at putting it into effect than one whose first experience of that plan is trying to remember where it's stored on your file storage, that is, if you still have access to your file storage!
The art of testing your defences is what ensures they are capable and versatile enough to deter, withstand and respond. It's a recurrent philosophy that's integral to continual improvement. Finding holes and vulnerabilities can be difficult, but setting up exercises to test your security doesn't need to be complicated. It can be as simple as holding quarterly meetings to walk through incident response plans and team members' roles and responsibilities, or shutting down certain resources to see how quickly you can restore from your backups. Both require communication and calm, rational thinking coupled with excellent teamwork. Tabletop exercises typically surface questions, and those questions lead to process reviews and improvements, with the added benefit of collaboration between departments, all of which improves an organisation's preparedness and resilience.
The National Cyber Security Centre (NCSC) has recently launched a new Cyber Incident Exercising scheme, providing organisations with access to NCSC-assured exercising providers for the first time. In partnership with CREST and IASME, this initiative offers a structured approach to both tabletop and live-play cyber incident exercises, helping organisations to robustly practise their responses in a safe environment. Additionally, the NCSC's free "Exercise in a Box" tool allows businesses to test their incident response capabilities against a variety of generic cyber incident scenarios. By working with assured Cyber Incident Exercising providers, organisations can gain invaluable insights into their preparedness and ensure they are ready to face real-world cyber threats. [1]
Increasingly, legislation demands organised response plans along with effective, redundant business continuity planning. Tabletop exercises are a critical tool at your disposal to ensure that you comply with that legislation and, just as importantly, keep your business, your assets and your people safe. If you would like to delve deeper into the subject and the resources, get in touch with info@torosolutions.co.uk.
We can exercise your plans, implement next-generation tooling to keep you safe, offer Security Operations Centre (SOC) services, provide training in how to manage a crisis, conduct penetration testing in both the physical and cyber domains or, if you're just starting out on your cyber security journey, Toro can conduct cyber and physical security reviews to help you identify and prioritise your risks. Remember, preparation is your ally. Train hard, fight easy!
References
[1] https://www.ncsc.gov.uk/news/ncsc-launches-cyber-incident-exercising-scheme
https://iasme.co.uk/cyber-incident-exercising/
https://www.crest-approved.org/new-ncsc-cyber-incident-exercising-scheme-opens-for-business/
https://www.cyberscotland.com/new-ncsc-cyber-incident-exercising-scheme-opens-for-business/